docker.recipes

HashiCorp Vault

advanced

Secrets management and data protection platform.

Overview

HashiCorp Vault is an industry-standard secrets management and data protection platform that secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other sensitive data. Originally developed by HashiCorp in 2015, Vault addresses the critical security challenge of managing secrets in modern distributed applications by providing centralized secret storage, dynamic secret generation, and comprehensive audit logging. Unlike traditional static credential storage, Vault treats secrets as ephemeral resources with defined lifecycles, automatically rotating credentials and revoking access when no longer needed. This deployment combines Vault with HashiCorp Consul as the storage backend, creating a highly available and resilient secrets management infrastructure. Consul serves as Vault's distributed storage layer, providing consistent data replication, health checking, and service discovery capabilities that enable Vault to maintain state across multiple instances. The integration allows Vault to leverage Consul's Raft consensus algorithm for data consistency and provides the foundation for multi-datacenter secret management deployments. This stack is ideal for organizations implementing zero-trust security models, DevOps teams managing credentials across multiple environments, and enterprises requiring centralized certificate authority and PKI management. The Vault-Consul combination provides enterprise-grade secrets management with the flexibility to integrate with existing authentication systems like LDAP, Active Directory, AWS IAM, and Kubernetes service accounts, making it valuable for both cloud-native startups and traditional enterprises modernizing their security infrastructure.

Key Features

  • Dynamic secrets generation with automatic credential rotation for databases, cloud providers, and SSH access
  • Encryption-as-a-Service providing application-layer encryption without requiring cryptographic expertise
  • Policy-based access control with fine-grained permissions using HashiCorp Configuration Language (HCL)
  • Multiple authentication methods including LDAP, AWS IAM, GitHub, Kubernetes, and multi-factor authentication
  • Comprehensive audit logging with detailed access trails for compliance and security monitoring
  • PKI secrets engine for certificate authority operations and automated certificate lifecycle management
  • Consul integration providing distributed storage backend with automatic failover and data replication
  • Secret leasing and renewal system with automatic revocation of expired credentials

Common Use Cases

  • 1Database credential rotation for applications accessing PostgreSQL, MySQL, MongoDB, and other databases
  • 2PKI certificate management for internal services, microservices TLS, and client certificate authentication
  • 3Cloud provider credential management for AWS, Azure, and GCP with time-limited access tokens
  • 4SSH certificate authority for secure server access without managing individual SSH keys
  • 5Application secret injection for containerized workloads and Kubernetes deployments
  • 6Transit encryption for encrypting application data at rest and in transit without managing keys
  • 7Compliance environments requiring detailed audit trails and centralized secret governance

Prerequisites

  • Minimum 512MB RAM available (256MB for Vault + 256MB for Consul)
  • Ports 8200 (Vault API/UI) and 8500 (Consul UI) available and not in use
  • Basic understanding of HashiCorp Configuration Language (HCL) for Vault policies
  • Familiarity with public key infrastructure (PKI) concepts for certificate management
  • Network access planning for integration with authentication backends like LDAP or cloud IAM
  • Understanding of your organization's secret management requirements and compliance needs

For development & testing. Review security settings, change default credentials, and test thoroughly before production use. See Terms

docker-compose.yml

docker-compose.yml
1services: 
2  vault: 
3    image: hashicorp/vault:latest
4    container_name: vault
5    cap_add: 
6      - IPC_LOCK
7    environment: 
8      - VAULT_ADDR=http://0.0.0.0:8200
9      - VAULT_API_ADDR=http://0.0.0.0:8200
10      - VAULT_DEV_ROOT_TOKEN_ID=${VAULT_DEV_TOKEN}
11    volumes: 
12      - vault-data:/vault/data
13      - vault-logs:/vault/logs
14      - ./vault-config.hcl:/vault/config/vault.hcl:ro
15    ports: 
16      - "8200:8200"
17    command: server
18    depends_on: 
19      - consul
20    networks: 
21      - vault-network
22    restart: unless-stopped
23
24  consul: 
25    image: hashicorp/consul:latest
26    container_name: consul
27    command: agent -server -bootstrap-expect=1 -ui -client=0.0.0.0
28    environment: 
29      - CONSUL_BIND_INTERFACE=eth0
30    volumes: 
31      - consul-data:/consul/data
32    ports: 
33      - "8500:8500"
34      - "8600:8600/udp"
35    networks: 
36      - vault-network
37    restart: unless-stopped
38
39volumes: 
40  vault-data: 
41  vault-logs: 
42  consul-data: 
43
44networks: 
45  vault-network: 
46    driver: bridge

.env Template

.env
1# HashiCorp Vault
2VAULT_DEV_TOKEN=myroot
3
4# For production, use proper initialization:
5# vault operator init
6# vault operator unseal

Usage Notes

  1. 1Vault UI at http://localhost:8200
  2. 2Consul UI at http://localhost:8500
  3. 3Initialize: vault operator init
  4. 4Unseal with 3 of 5 keys
  5. 5Store secrets, certificates, credentials

Individual Services(2 services)

Copy individual services to mix and match with your existing compose files.

vault
vault:
  image: hashicorp/vault:latest
  container_name: vault
  cap_add:
    - IPC_LOCK
  environment:
    - VAULT_ADDR=http://0.0.0.0:8200
    - VAULT_API_ADDR=http://0.0.0.0:8200
    - VAULT_DEV_ROOT_TOKEN_ID=${VAULT_DEV_TOKEN}
  volumes:
    - vault-data:/vault/data
    - vault-logs:/vault/logs
    - ./vault-config.hcl:/vault/config/vault.hcl:ro
  ports:
    - "8200:8200"
  command: server
  depends_on:
    - consul
  networks:
    - vault-network
  restart: unless-stopped
consul
consul:
  image: hashicorp/consul:latest
  container_name: consul
  command: agent -server -bootstrap-expect=1 -ui -client=0.0.0.0
  environment:
    - CONSUL_BIND_INTERFACE=eth0
  volumes:
    - consul-data:/consul/data
  ports:
    - "8500:8500"
    - 8600:8600/udp
  networks:
    - vault-network
  restart: unless-stopped

Quick Start

terminal
1# 1. Create the compose file
2cat > docker-compose.yml << 'EOF'
3services:
4  vault:
5    image: hashicorp/vault:latest
6    container_name: vault
7    cap_add:
8      - IPC_LOCK
9    environment:
10      - VAULT_ADDR=http://0.0.0.0:8200
11      - VAULT_API_ADDR=http://0.0.0.0:8200
12      - VAULT_DEV_ROOT_TOKEN_ID=${VAULT_DEV_TOKEN}
13    volumes:
14      - vault-data:/vault/data
15      - vault-logs:/vault/logs
16      - ./vault-config.hcl:/vault/config/vault.hcl:ro
17    ports:
18      - "8200:8200"
19    command: server
20    depends_on:
21      - consul
22    networks:
23      - vault-network
24    restart: unless-stopped
25
26  consul:
27    image: hashicorp/consul:latest
28    container_name: consul
29    command: agent -server -bootstrap-expect=1 -ui -client=0.0.0.0
30    environment:
31      - CONSUL_BIND_INTERFACE=eth0
32    volumes:
33      - consul-data:/consul/data
34    ports:
35      - "8500:8500"
36      - "8600:8600/udp"
37    networks:
38      - vault-network
39    restart: unless-stopped
40
41volumes:
42  vault-data:
43  vault-logs:
44  consul-data:
45
46networks:
47  vault-network:
48    driver: bridge
49EOF
50
51# 2. Create the .env file
52cat > .env << 'EOF'
53# HashiCorp Vault
54VAULT_DEV_TOKEN=myroot
55
56# For production, use proper initialization:
57# vault operator init
58# vault operator unseal
59EOF
60
61# 3. Start the services
62docker compose up -d
63
64# 4. View logs
65docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

terminal
1curl -fsSL https://docker.recipes/api/recipes/hashicorp-vault/run | bash

Troubleshooting

  • Vault sealed state after restart: Run 'vault operator unseal' with threshold number of unseal keys from initialization
  • Consul connection refused errors: Verify Consul container is running and accessible on port 8500 before starting Vault
  • Permission denied accessing secrets: Check Vault policies attached to your authentication token using 'vault token lookup'
  • Vault initialization hanging: Ensure IPC_LOCK capability is granted to prevent memory swapping issues
  • High availability setup failing: Verify Consul cluster has odd number of nodes and proper network connectivity between instances
  • Authentication backend integration failing: Confirm network connectivity to LDAP/AD servers and verify service account permissions

Community Notes

Loading...
Loading notes...

Download Recipe Kit

Get all files in a ready-to-deploy package

Includes docker-compose.yml, .env template, README, and license

Components

vaultconsul

Tags

#secrets#vault#hashicorp#security#encryption

Category

Security & Networking

Related Recipes

Ad Space